Understanding Cyber Risk in the Dental Office. Melissa Moore Sanchez, CIC


Data Breaches are Escalating
Between February 5, 2005 and May 26, 2012, 561,465,563 records containing sensitive personal information have been involved in security breaches!
Source: Privacy Rights Clearinghouse, Chronology of Data Breaches, Security Breaches 2005 - Present. Posted Date: April 5, 2005; Updated Date: May 28, 2012. www.privacyrights.org

HIPAA: Health Insurance Portability and Accountability Act of 1996
Health care organizations must maintain reasonable and appropriate technical and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information. Safeguards must apply to both transmission of information and storage.

Cyber Risk Exposures
- Identity theft from lost or stolen PHI
- Theft of laptop or smartphone
- Employee error
- Malicious employee intent
- Inappropriate destruction of patient data

HIPAA
- Requires notification within 60 days of a privacy breach involving an individual's HIPAA-covered personal health information
- Requires business associates to meet most security requirements that previously applied only to covered entities
- Authorizes State Attorneys General to bring suit for HIPAA violations
- Requires notification of the Department of Health & Human Services and the media in privacy breaches involving 500 or more individuals

U.S. Federal Legislation
- Sarbanes-Oxley Act
- On December 8, 2009, the House passed the Data Accountability and Trust Act (H.R. 2221). The legislation would, among other things, require all businesses to implement safeguards to protect reasonably foreseeable data vulnerabilities and to notify customers if their personal information is breached.

HIPAA HITECH Act
What is the HITECH Act? The Health Information Technology for Economic and Clinical Health (HITECH) Act significantly modified and strengthened many aspects of the HIPAA Security Rule, including the penalties that the U.S. Department of Health and Human Services (HHS) could impose for violations of the HIPAA rules.

HIPAA HITECH Act
It was designed to protect the confidentiality, integrity, and availability of health information, which is vulnerable to and must be protected from:
- Hacker and disgruntled employee abuse
- Untrained personnel mishandling
- Exploitation by people not having a need to know
- Unplanned system outages
- Burglary and theft
- Fire, flood, and other natural disasters

HIPAA HITECH: Penalties for HITECH Act Violations
Who is affected and what is the exposure?
Covered Entities (CEs) include all health care providers (physicians, dentists, therapists, psychologists, pharmacists, etc.), health care clearinghouses, and health plans (i.e., health insurance companies) that electronically store, process or transmit electronic health information (EPHI).
A new Civil Monetary Penalty (CMP) system makes monetary penalties mandatory for violations. HITECH Act section 13410(d), which became effective February 18, 2009, requires that civil penalties be funneled back into the Department of Health and Human Services Office of Civil Rights enforcement budget.

HIPAA
The HIPAA law requires all health care Covered Entities (CEs) and their Business Associates (BAs) to safeguard the privacy of patient health information. The HIPAA law also requires CEs and BAs to implement required security measures to protect patient health information.

Penalties for HITECH Act Violations
- Violations range from "did not know" to "willful neglect - not corrected"
- Penalties range from $100 to $50,000 for each violation
- Penalties are capped at $1,500,000 for each violation

Penalties for HITECH Act Violations
Tier                          | Per violation*      | Cap**
Did not know                  | $100 - $50,000      | $1.5M
Reasonable cause              | $1,000 - $50,000    | $1.5M
Willful neglect, corrected    | $10,000 - $50,000   | $1.5M
Willful neglect, uncorrected  | $50,000             | $1.5M
* Each violation
** Penalty cap for multiple violations of an identical requirement or prohibition in a calendar year

How Does This Affect Me?
- Each state's requirements may be different from those of my practicing state
- State laws will supersede if stricter
- You may have patients living in other states/countries who will need to be contacted

State Security Breach Notification Laws
- Currently 47 states (plus Puerto Rico, Washington D.C. & Virgin Islands) require notification after unauthorized access to PHI
- Many states require notification of the state attorney general, state consumer protection agencies, and credit monitoring agencies
- Some states allow a private right of action for violations
- Many states have their own violation/penalty structure in addition to HIPAA
- Different countries have their own requirements

Data Breach Can Happen to Anyone and It's Happening Every Day
- Theft or loss of a laptop, smart phone or flash drive
- Sensitive information of dozens of patients found in a recycling bin
- Trusted employee selling patient information
- Burglary resulting in stolen computers
- IT incident caused patient information to be exposed
- The server was hacked and records stolen
- Employee made an error
- Cloud technology will afford more opportunities

Some State Examples
Connecticut: Insurance Department Bulletin IC-25. All licensees and registrants of the Department must notify the Department (Commissioner) of any information security incident which affects any Connecticut residents as soon as the incident is identified, but no later than five (5) calendar days after the incident.
Massachusetts: 201 CMR 17, Protection of Personal Information. All businesses that store Massachusetts residents' personal information must develop a written information security program (WISP).
Nevada: Mandates that data collectors doing business in Nevada comply with the Payment Card Industry Data Security Standard (PCI DSS).
California: Augments federal HIPAA provisions. A breach requires notice to the California Department of Health and affected individuals within 5 days. The state can fine an institution up to $250,000 per violation. Allows a private right of action.

Cyber Risk Trends
- Data breaches are increasing
- Malicious attacks were up 31% in 2010, from 24% in 2009 and 12% in 2008
- Lost/stolen laptops account for 35% of data breaches
- Negligence (employee errors) is the leading cause at 41%
Source: Ponemon Institute, LLC 2010 Annual Study: U.S. Cost of a Data Breach

Industries Most Affected
Biz - 47%; Edu - 18%; Gov - 18%; Med - 16%

Breach Related Expenses
Notification: creating letter or other notification; printing or design; mailing or other transmissions
Public Relations: advertising and press releases; call center operations; other services for affected persons; credit monitoring
Forensics: legal expenses for outside attorney; cost of forensic examinations; cost to remediate discovered vulnerabilities
Legal: responses to claims or suits; payment of judgments or settlements

Cyber Risk: Understanding the Trend
The findings of this benchmark study pertain to the actual data breach experience of 51 U.S. companies from 15 different industry sectors, all of which participated in the 2010 study.

Top Findings
- For the first time, malicious or criminal attacks are the most expensive cause of data breaches
- Data breaches in 2010 cost their companies an average of $214 per compromised record, up $10 (5 percent) from last year
- For the third straight year, direct costs accounted for a larger proportion of overall data breach costs
- The most expensive data breach included in this year's study cost a company $35.3 million
- 88% of organizations surveyed had at least one data breach

Breach Expenses by Activity
Activity                          | Percent | Dollar
Investigation & Forensics         | 11%     | $23
Audit & Consulting Services       | 10%     | $21
Outbound Contact                  | 5%      | $10
Inbound Contact                   | 6%      | $13
Public Relations/Communications   | 1%      | $2
Legal Services - Defense          | 14%     | $30
Legal Services - Compliance       | 2%      | $4
Fee or Discounted Services*       | 1%      | $2
Identity Protection Services*     | 2%      | $4
Lost Customer Business*           | 39%     | $83
Customer Acquisition Cost*        | 9%      | $19
Total                             | 100%    | $214
* Uninsurable costs
Research conducted by Ponemon Institute, LLC 2010 Annual Study: U.S. Cost of a Data Breach

Data Breach Trends: Chronology of Data Breaches
April 23, 2012 - Office of Dr. Gloria Traje-Quitoriano, Fresno, CA: A laptop was stolen from her husband's car. The laptop contained patient names, Social Security numbers, dates of birth, phone numbers and addresses. The laptop was not encrypted.
Lost laptops account for 35% of data breaches and cost more: $258* per compromised record.
Negligence remains the most common threat, and an increasingly expensive one. Breaches from negligence in 2010 averaged $196 per record, up $42 (27 percent) from 2009.
* Will only go up with cloud technology and smart phones. Research conducted by Ponemon Institute, LLC 2010 Annual Study: U.S. Cost of a Data Breach
April 20, 2012 - Office of Dr. Rex Smith, Eugene, OR: An office burglary that occurred on or around February 19 resulted in the theft of medications and a computer. The computer contained patient names, Social Security numbers, and dates of birth. It is unclear if the computer was encrypted. The total number of patients affected and all types of information exposed are also unclear.
April 19, 2012 - Cigna Dental, Bloomfield, Connecticut: On March 23, 2012, an employee sent an unencrypted document to the personal emails of herself and her son. The document contained the first names of customers and their SS numbers. Cigna became aware of the incident and took immediate action. The employee claimed she sent the document to obtain help with work from her son. She confirmed that both she and her son deleted the email, and she was fired.
April 12, 2012 - Perry Dental, Riverside, CA: Computer equipment that contained patient insurance information was taken during an office burglary.
Published on Privacy Rights Clearinghouse (http://www.privacyrights.org). Today's date: May 29, 2012. http://privacyrights.org/data-breach

Chronology of Data Breaches
March 22, 2012 - Flex Physical Therapy, Bothell, WA: Three computers were stolen on December 30, 2011; one of the computers contained the protected health information of patients.
March 22, 2012 - Delta Dental, Sacramento, CA: The unauthorized disclosure of paper records, sometime around December 22, 2011, may have resulted in the exposure of protected health information.
March 22, 2012 - Indiana Internal Medicine Consultants, Greenwood, Indiana: The February 11, 2012 theft of a laptop resulted in the exposure of protected health information.
March 12, 2012 - Impairment Resources, LLC, San Diego, CA: An office burglary on New Year's Eve 2011 resulted in the loss of hardware that contained sensitive personal information. The full names, addresses, SS numbers and medical information of clients were on the hardware. Impairment Resources notified patients in February and then filed for bankruptcy in March. The high cost of handling the breach led directly to the decision to file for bankruptcy. Information Source: California Attorney General
March 9, 2012 - Office of Dr. David Turner: An office burglary resulted in the theft of a laptop and other items. The laptop contained information of current and former patients. It is unclear what type of information the laptop contained. A widespread notification of the breach was released in March after many patients could not be reached by mail.
Published on Privacy Rights Clearinghouse (http://www.privacyrights.org). Today's date: May 29, 2012. http://privacyrights.org/data-breach

Privacy Liability: What are the Risks? Costs?
- Cost to notify each affected individual by mail
- Cost of credit monitoring services for individuals whose data has been breached
- Cost for a call center to manage calls from affected patients

Cyber Risk Exposures
- Hack, theft or loss of confidential information
- Appropriately manage forensics after a breach has occurred
- Obligation to notify patients and monitor their credit record

What Additional Exposures Exist?
- Damage to reputation; a dentist could lose the trust of his or her patients
- Loss of potential new business
- Discounted services
- HIPAA's high standard could be cited in civil litigation, thereby creating the potential for even larger criminal and civil settlements
- Lawsuits from security or technology errors that result in damage to your patients

Privacy Liability: What are the Risks? Costs?
- Legal costs to manage federal and state compliance
- Lawsuits alleging breach of fiduciary duty in violating the right to privacy
- Expense to hire an attorney to defend the suit, whether frivolous or not
- Business interruption: the cost of managing the crisis. How valuable is your time? Your staff's time?

It Pays To Do Your Homework
Studies show those who took a more rapid response to a breach paid 54% more than companies that took a more surgical approach.
- Over-notified customers not at risk
- Customers not at risk lost confidence
- Quick response spent $268 per record
- Slower response spent $174 per record
Source: 2010 Annual Study: U.S. Cost of a Data Breach, Ponemon Institute Benchmark Study

Be Prepared
Create a plan, including:
- Know in advance which state, federal and local law enforcement agencies should be contacted
- Protect your affected systems for a proper forensic investigation by the experts
- Know your time constraints for contacting affected patients
- Legal counsel for compliance issues
- Legal counsel for defense issues

Mind Those Laptops!
- Laptops may contain large amounts of sensitive information
- Consider policies against allowing staff to connect their personal laptop or other mobile devices to the office computer
- Laptops and other mobile devices frequently have no security or no strong security

Be Prepared
Know who you would contact to establish:
- Credit monitoring services
- Identity theft management
- Call center
Be prepared to respond to media inquiries:
- Statements to the press
- Facebook
- Twitter
- Staff response to calls

Disc Drives and Back-up Tapes
- Organizations may either sell or give away used disc drives. Information may still be accessible, even off of a scrubbed drive.
- Off-site storage or back-up tapes are fundamental to disaster recovery plans! Are tapes secure from unauthorized access? Is the data warehouse responsible for a breach?

Be Prepared: Cyber Risk is Here to Stay
- Make sure your policy is reviewed and adopted by your staff
- Test, review and update your technical systems regularly
- Monitor websites for infiltration by malicious code
- Monitor for malware
- Watch external access to computers (e.g. repair personnel)
- Understand your risk! Call your cyber security insurance carrier

Contact
Northwest Dentists Insurance Company (NORDIC)
19515 North Creek Parkway, Suite 214, Bothell, WA 98011
www.nordicins.com
Melissa Moore Sanchez, sanchem@nordicins.com
Direct: (503) 765-3545; Fax: (425) 481-8604